thinkwork-cli 0.8.2 → 0.9.1

package/dist/terraform/modules/data/compliance-audit-bucket/variables.tf

@@ -0,0 +1,93 @@
+################################################################################
+# Compliance Audit Bucket — Variables
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID. Used in the anchor Lambda role's trust policy as an aws:SourceAccount condition for confused-deputy defense — even if a malicious principal somehow obtained the role's ARN, they would need to assume it from inside this account."
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region. Used in the anchor Lambda role's trust-policy aws:SourceArn pin to constrain AssumeRole to the predictable function ARN `arn:aws:lambda:{region}:{account_id}:function:thinkwork-{stage}-api-compliance-anchor`. Required. Whitespace is rejected (a trailing space silently produces a malformed ARN that never matches at AssumeRole time)."
+  type        = string
+
+  validation {
+    condition     = length(var.region) > 0 && var.region == trimspace(var.region)
+    error_message = "region must be non-empty and free of leading/trailing whitespace. A whitespace-padded value silently produces a malformed aws:SourceArn that never matches."
+  }
+}
+
+variable "compliance_reader_secret_arn" {
+  description = "ARN of the Secrets Manager secret holding the `compliance_reader` Aurora role credentials (Phase 3 U2). The U8a anchor Lambda's anchor_secrets policy enumerates this ARN explicitly."
+  type        = string
+
+  validation {
+    condition     = length(var.compliance_reader_secret_arn) > 0
+    error_message = "compliance_reader_secret_arn must be non-empty."
+  }
+}
+
+variable "compliance_drainer_secret_arn" {
+  description = "ARN of the Secrets Manager secret holding the `compliance_drainer` Aurora role credentials (Phase 3 U2 / PR #887). The U8a anchor Lambda uses this to UPDATE compliance.tenant_anchor_state."
+  type        = string
+
+  validation {
+    condition     = length(var.compliance_drainer_secret_arn) > 0
+    error_message = "compliance_drainer_secret_arn must be non-empty."
+  }
+}
+
+variable "bucket_name" {
+  description = "Name of the compliance audit-anchor S3 bucket (master-plan canonical: thinkwork-{stage}-compliance-anchors)"
+  type        = string
+}
+
+variable "kms_key_arn" {
+  description = "ARN of the customer-managed KMS key used for SSE-KMS encryption of anchor objects. Must be non-empty - wired from module.kms.key_arn at the composite root."
+  type        = string
+
+  validation {
+    condition     = length(var.kms_key_arn) > 0
+    error_message = "kms_key_arn must be non-empty. Check that module.kms is enabled in the composite root (var.create_kms_key = true)."
+  }
+}
+
+variable "mode" {
+  description = "S3 Object Lock retention mode. GOVERNANCE allows a privileged role with s3:BypassGovernanceRetention to delete or shorten retention; COMPLIANCE is irreversible (even AWS root cannot delete or shorten until retention expires). Default GOVERNANCE per master plan Decision #2; flip to COMPLIANCE in prod via tfvars at audit-engagement time."
+  type        = string
+  default     = "GOVERNANCE"
+
+  validation {
+    condition     = contains(["GOVERNANCE", "COMPLIANCE"], var.mode)
+    error_message = "mode must be either GOVERNANCE or COMPLIANCE."
+  }
+}
+
+variable "retention_days" {
+  description = "Default Object Lock retention in days, applied to every PutObject under the anchors/ prefix unless an explicit per-object retention overrides it. SOC2 Type 1 baseline is 12 months (365)."
+  type        = number
+  default     = 365
+
+  validation {
+    condition     = var.retention_days > 0
+    error_message = "retention_days must be greater than 0."
+  }
+}
+
+# Phase 3 U8b — explicit override for COMPLIANCE-mode in non-prod stages.
+# COMPLIANCE mode is irreversible; once any object is written under it, that
+# object is undeleteable for the full retention window — even AWS root cannot
+# remove it. Defaulting to false keeps a "stage typo" (stage = "prod-canary"
+# instead of "prod") from silently producing an unrecoverable dev bucket. The
+# operator must set this true in tfvars at audit-engagement time on the
+# specific non-prod stage that should run COMPLIANCE.
+variable "allow_compliance_in_non_prod" {
+  description = "Permit var.mode = COMPLIANCE on non-prod stages. Default false. Set true ONLY at audit-engagement time on the specific non-prod stage where COMPLIANCE is intended; the bucket's WORM bytes are unrecoverable once retention starts."
+  type        = bool
+  default     = false
+}

package/dist/terraform/modules/data/compliance-exports-bucket/main.tf

@@ -0,0 +1,269 @@
+################################################################################
+# Compliance Exports Bucket — Data Module (U11.U2)
+#
+# Ephemeral S3 bucket for SOC2 walkthrough export artifacts produced by the
+# U11 export runner Lambda. Distinct from the WORM-protected
+# compliance-audit-bucket: this is a 7-day-lifecycle short-lived artifact
+# bucket; nothing here is the system of record. The system of record is
+# `compliance.audit_events` in Aurora; the runner just rematerializes
+# filtered slices into CSV/NDJSON for auditor download.
+#
+# Why not Object Lock:
+#   - Exports are derivable from the Aurora rows + the runner code; losing
+#     an export does not lose evidence.
+#   - Object Lock + 7-day retention is incoherent (the lock makes the
+#     object undeleteable for 7 days then it does become deletable, which
+#     is just a reverse-engineered version of expiration with extra cost).
+#   - Auditors want a presigned URL that works for ~15 minutes; the bucket
+#     itself is plumbing, not a trust anchor.
+#
+# Why versioning suspended:
+#   - Export artifacts are write-once-by-name (key includes jobId UUID); a
+#     second write would imply a runner bug, not a legitimate update. We
+#     prefer the second write to fail noisily on a precondition rather than
+#     silently produce a v2 object.
+#
+# Bucket policy (defense-in-depth):
+#   - EnforceHTTPS: deny any s3:* over plain HTTP.
+#
+# IAM role (runner Lambda's eventual identity, defined below):
+#   - Allow s3:PutObject + s3:GetObject + s3:GetObjectAttributes +
+#     s3:AbortMultipartUpload on ${bucket}/* (any prefix; runner picks).
+#   - Allow s3:ListBucket on ${bucket} (multipart upload listing).
+#   - Explicit Deny on every other S3 ARN (NotResource defense).
+#
+# Inert seam (U11.U2):
+#   - Module ships the role; the standalone Lambda function in
+#     terraform/modules/app/lambda-api/handlers.tf assumes this role.
+#   - The Lambda body is a stub that throws "not implemented" —
+#     U11.U3 swaps in the live runner.
+################################################################################
+
+resource "aws_s3_bucket" "exports" {
+  bucket = var.bucket_name
+
+  # Hardcoded false — even though objects expire after 7 days, an
+  # accidental terraform destroy on a bucket holding in-flight export
+  # artifacts would interrupt an auditor mid-download.
+  force_destroy = false
+
+  tags = {
+    Name       = var.bucket_name
+    Stage      = var.stage
+    Purpose    = "compliance-exports"
+    Expiration = "${var.expiration_days}d"
+  }
+}
+
+resource "aws_s3_bucket_versioning" "exports" {
+  bucket = aws_s3_bucket.exports.id
+
+  # Suspended — write-once-by-jobId; we don't want v1/v2 of the same key.
+  versioning_configuration {
+    status = "Suspended"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "exports" {
+  bucket = aws_s3_bucket.exports.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "exports" {
+  bucket = aws_s3_bucket.exports.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "exports" {
+  bucket = aws_s3_bucket.exports.id
+
+  rule {
+    id     = "exports-expiration"
+    status = "Enabled"
+
+    # Apply to every object — exports always live in keyed prefixes the
+    # runner picks, but the lifecycle is uniform across the bucket.
+    filter {}
+
+    expiration {
+      days = var.expiration_days
+    }
+
+    # Belt-and-suspenders for any failed multipart uploads — abort after
+    # 1 day so we don't accumulate orphaned upload IDs.
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 1
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "exports" {
+  bucket = aws_s3_bucket.exports.id
+
+  depends_on = [aws_s3_bucket_public_access_block.exports]
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid       = "EnforceHTTPS"
+        Effect    = "Deny"
+        Principal = "*"
+        Action    = "s3:*"
+        Resource = [
+          aws_s3_bucket.exports.arn,
+          "${aws_s3_bucket.exports.arn}/*",
+        ]
+        Condition = {
+          Bool = {
+            "aws:SecureTransport" = "false"
+          }
+        }
+      },
+    ]
+  })
+}
+
+################################################################################
+# IAM role for the runner Lambda (U11.U3 will assume this role; in U11.U2
+# the standalone Lambda function references this role's ARN, but its body
+# is the inert stub).
+################################################################################
+
+resource "aws_iam_role" "runner_lambda" {
+  name = "thinkwork-${var.stage}-compliance-export-runner-role"
+
+  # Trust policy: Lambda service principal + account-pin only.
+  #
+  # We do NOT pin `aws:SourceArn` to the function ARN. The runner is
+  # invoked via `aws_lambda_event_source_mapping` (SQS → Lambda); when
+  # AWS Lambda calls `sts:AssumeRole` to validate the mapping at
+  # CreateEventSourceMapping time, the `aws:SourceArn` context key is
+  # the SQS queue ARN, not the Lambda function ARN. Pinning to the
+  # function ARN — even with `StringEqualsIfExists` — caused "Please
+  # add Lambda as a Trusted Entity for ..." failures
+  # (deploy runs 25557118131 and 25560679065).
+  #
+  # `aws:SourceAccount` strict-equals is the substantive confused-deputy
+  # guard — even if the role ARN leaks, only this account can use it.
+  # The Lambda service principal restriction in `Principal` keeps
+  # non-Lambda services from assuming.
+  #
+  # The anchor Lambda role (compliance-audit-bucket) keeps a strict
+  # SourceArn pin to the function ARN because it's scheduler-triggered;
+  # EventBridge Scheduler always passes the function ARN as SourceArn.
+  # SQS event source mapping does not — that's what makes this role
+  # different.
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = "lambda.amazonaws.com" }
+      Action    = "sts:AssumeRole"
+      Condition = {
+        StringEquals = {
+          "aws:SourceAccount" = var.account_id
+        }
+      }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "runner_basic" {
+  role       = aws_iam_role.runner_lambda.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role_policy" "runner_s3_allow" {
+  name = "exports-s3-allow"
+  role = aws_iam_role.runner_lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "ExportsObjectsAllow"
+        Effect = "Allow"
+        Action = [
+          "s3:PutObject",
+          "s3:GetObject",
+          "s3:GetObjectAttributes",
+          "s3:AbortMultipartUpload",
+        ]
+        Resource = "${aws_s3_bucket.exports.arn}/*"
+      },
+      {
+        Sid    = "ExportsBucketAllow"
+        Effect = "Allow"
+        Action = [
+          "s3:ListBucket",
+          "s3:ListBucketMultipartUploads",
+          "s3:GetBucketLocation",
+        ]
+        Resource = aws_s3_bucket.exports.arn
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "runner_secrets" {
+  count = length(var.database_secret_arn) > 0 ? 1 : 0
+  name  = "exports-runner-secrets"
+  role  = aws_iam_role.runner_lambda.id
+
+  # The runner reads the writer-pool DB credentials at module-load via
+  # GetSecretValue. Without this grant the runner throws AccessDenied
+  # at the first SQS-triggered invocation (deploy run 25561658625
+  # failed the smoke gate with this exact error). Scoped to the single
+  # secret ARN — no wildcard.
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid      = "RunnerDatabaseSecretRead"
+        Effect   = "Allow"
+        Action   = ["secretsmanager:GetSecretValue"]
+        Resource = var.database_secret_arn
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "runner_s3_deny_other_buckets" {
+  name = "exports-s3-deny-other-buckets"
+  role = aws_iam_role.runner_lambda.id
+
+  # Defense-in-depth: even if a future inline-policy attachment or AWS-
+  # managed-policy widens the role's S3 grants, this explicit deny
+  # restricts the runner to the exports bucket only. NotResource ensures
+  # the deny applies to every S3 ARN that ISN'T the exports bucket.
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "DenyAllOtherS3Buckets"
+        Effect = "Deny"
+        Action = [
+          "s3:PutObject",
+          "s3:GetObject",
+          "s3:DeleteObject",
+          "s3:ListBucket",
+          "s3:AbortMultipartUpload",
+        ]
+        NotResource = [
+          aws_s3_bucket.exports.arn,
+          "${aws_s3_bucket.exports.arn}/*",
+        ]
+      },
+    ]
+  })
+}

package/dist/terraform/modules/data/compliance-exports-bucket/outputs.tf

@@ -0,0 +1,23 @@
+################################################################################
+# Compliance Exports Bucket — Outputs
+################################################################################
+
+output "bucket_name" {
+  description = "Name (id) of the compliance exports S3 bucket."
+  value       = aws_s3_bucket.exports.id
+}
+
+output "bucket_arn" {
+  description = "ARN of the compliance exports S3 bucket."
+  value       = aws_s3_bucket.exports.arn
+}
+
+output "runner_role_arn" {
+  description = "ARN of the IAM role the U11 export runner Lambda assumes. Inert in U11.U2 — the function exists with a stub body until U11.U3."
+  value       = aws_iam_role.runner_lambda.arn
+}
+
+output "runner_role_name" {
+  description = "Name of the IAM role the runner Lambda assumes. Used by sibling app-tier modules that need to attach inline policies (e.g., DLQ SendMessage, SQS receive) to this role without re-deriving the name from the ARN."
+  value       = aws_iam_role.runner_lambda.name
+}

package/dist/terraform/modules/data/compliance-exports-bucket/variables.tf

@@ -0,0 +1,50 @@
+################################################################################
+# Compliance Exports Bucket — Variables
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage."
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID. Pinned in the runner Lambda's trust policy as aws:SourceAccount for confused-deputy defense."
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region. Used in the runner Lambda's trust-policy aws:SourceArn pin to constrain AssumeRole to the predictable function ARN `arn:aws:lambda:{region}:{account_id}:function:thinkwork-{stage}-api-compliance-export-runner`."
+  type        = string
+
+  validation {
+    condition     = length(var.region) > 0 && var.region == trimspace(var.region)
+    error_message = "region must be non-empty and free of leading/trailing whitespace."
+  }
+}
+
+variable "bucket_name" {
+  description = "Name of the compliance exports S3 bucket. Canonical pattern: `thinkwork-{stage}-compliance-exports`."
+  type        = string
+
+  validation {
+    condition     = length(var.bucket_name) > 0
+    error_message = "bucket_name must be non-empty."
+  }
+}
+
+variable "database_secret_arn" {
+  description = "ARN of the Secrets Manager secret holding the writer-pool DB credentials. The runner Lambda reads this at module-load to construct the Aurora connection string for INSERT/UPDATE on compliance.export_jobs and SELECT on compliance.audit_events. Default empty so existing module consumers don't break before they wire it; the runner throws a deterministic error if unset at runtime."
+  type        = string
+  default     = ""
+}
+
+variable "expiration_days" {
+  description = "Number of days an export object lives before lifecycle expiration. SOC2 walkthrough auditors typically download artifacts within hours; 7 days is the audit-window default."
+  type        = number
+  default     = 7
+
+  validation {
+    condition     = var.expiration_days >= 1 && var.expiration_days <= 90
+    error_message = "expiration_days must be between 1 and 90 inclusive."
+  }
+}

package/dist/terraform/modules/data/s3-backups-bucket/main.tf

@@ -0,0 +1,123 @@
+################################################################################
+# S3 Backups Bucket — Data Module
+#
+# Separate bucket for pre-destructive-migration CSV exports and other
+# operational snapshots. Distinct from the primary storage bucket because:
+#
+#   - No CORS (client browsers never read this bucket)
+#   - Block public access fully (public-access tickets cannot accidentally
+#     grant access via aws_s3_bucket_public_access_block)
+#   - Server-side encryption on by default
+#   - Lifecycle rule auto-expires `pre-drop/` objects after 90 days so cost
+#     stays bounded without a separate sweeper
+#   - HTTPS-only bucket policy
+#
+# Used by:
+#   - packages/database-pg/drizzle/0027_thread_cleanup_drops.sql (U5 of the
+#     thread-detail cleanup plan) via `aws_s3.query_export_to_s3` calls.
+#   - Any future destructive migration that wants a pre-apply row-data
+#     snapshot.
+#
+# Pairs with an IAM role on the Aurora cluster (see
+# `terraform/modules/data/aurora-postgres/main.tf`) so the cluster can
+# PutObject directly without credentials in the SQL file.
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "bucket_name" {
+  description = "Name of the S3 backups bucket"
+  type        = string
+}
+
+resource "aws_s3_bucket" "backups" {
+  bucket = var.bucket_name
+
+  tags = {
+    Name  = var.bucket_name
+    Stage = var.stage
+    # Identifies the bucket's purpose so operators can spot accidental reads
+    # in CloudTrail and so cost-allocation tags split backups out of the
+    # primary storage bucket.
+    Purpose = "operational-backups"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "backups" {
+  bucket = aws_s3_bucket.backups.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "backups" {
+  bucket = aws_s3_bucket.backups.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "backups" {
+  bucket = aws_s3_bucket.backups.id
+
+  rule {
+    id     = "expire-pre-drop-snapshots"
+    status = "Enabled"
+
+    filter {
+      prefix = "pre-drop/"
+    }
+
+    expiration {
+      days = 90
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "backups_https_only" {
+  bucket = aws_s3_bucket.backups.id
+
+  # aws_s3_bucket_public_access_block must apply first; otherwise account-
+  # level BPA defaults can intermittently reject the bucket-policy PUT with
+  # AccessDenied during initial apply.
+  depends_on = [aws_s3_bucket_public_access_block.backups]
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid       = "EnforceHTTPS"
+        Effect    = "Deny"
+        Principal = "*"
+        Action    = "s3:*"
+        Resource = [
+          aws_s3_bucket.backups.arn,
+          "${aws_s3_bucket.backups.arn}/*",
+        ]
+        Condition = {
+          Bool = {
+            "aws:SecureTransport" = "false"
+          }
+        }
+      },
+    ]
+  })
+}
+
+output "bucket_name" {
+  description = "Name of the S3 backups bucket"
+  value       = aws_s3_bucket.backups.id
+}
+
+output "bucket_arn" {
+  description = "ARN of the S3 backups bucket"
+  value       = aws_s3_bucket.backups.arn
+}

package/dist/terraform/modules/data/s3-buckets/main.tf

@@ -35,6 +35,14 @@ resource "aws_s3_bucket" "main" {
   }
 }
 
+resource "aws_s3_bucket_versioning" "main" {
+  bucket = aws_s3_bucket.main.id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
 resource "aws_s3_bucket_cors_configuration" "main" {
   bucket = aws_s3_bucket.main.id
 
@@ -47,6 +55,11 @@ resource "aws_s3_bucket_cors_configuration" "main" {
   }
 }
 
+resource "aws_s3_bucket_notification" "eventbridge" {
+  bucket      = aws_s3_bucket.main.id
+  eventbridge = true
+}
+
 resource "aws_s3_bucket_policy" "https_only" {
   bucket = aws_s3_bucket.main.id
 

package/dist/terraform/modules/foundation/cognito/variables.tf

@@ -107,20 +107,23 @@ variable "admin_logout_urls" {
 }
 
 variable "mobile_callback_urls" {
-  description = "OAuth callback URLs for the mobile client"
+  description = "OAuth callback URLs for the mobile client. Host apps that embed the SDK register their own deep-link here. Proper per-host app client isolation is 0.3.0 work — this is the stopgap capture of the drift from the CLI-applied URIs."
   type        = list(string)
   default = [
     "exp://localhost:8081",
     "thinkwork://",
     "thinkwork://auth/callback",
+    "myapp://",
+    "myapp://oauth/callback",
   ]
 }
 
 variable "mobile_logout_urls" {
-  description = "OAuth logout URLs for the mobile client"
+  description = "OAuth logout URLs for the mobile client. Host apps that embed the SDK register their own deep-link here (see `mobile_callback_urls` for rationale)."
   type        = list(string)
   default = [
     "exp://localhost:8081",
     "thinkwork://",
+    "myapp://",
   ]
 }